Building automation systems (BAS) have many characteristics that differ from traditional information processing systems, including different risks and priorities. Furthermore, these types of automation systems are subject to different performance and reliability requirements, and often employ operating systems, applications and configurations that may be considered unusual IT practices.
BAS frequently encompass any electrical component or device that is used to control a building by managing security, safety and utility services, such as physical access, HVAC, heating, alarms, and lighting, among other electrical and mechanical controllers that automate the buildings.
These services are crucial to any organization; therefore, BAS should be considered, managed, and protected as part of the critical infrastructure, whereby security is an essential factor in the ongoing care and maintenance of these systems. Security-critical services like these demand the underlying control system be reliable and robust against security threats.
In order to identify the appropriate security controls for the protection of these critical systems, it is necessary to know the current status of the building automation infrastructure. Consequently, a security assessment will help any organization to accomplish this task and boost its risk management strategy. A tailored security assessment for BAS will significantly improve situational awareness by providing highly valuable insights and identifying threats and vulnerabilities that are usually off the organizations' radar.
An initial tailored approach should, at a minimum, include the evaluation, analysis, and review of the following security control groups:
Security architecture. An effective assessment must review and evaluate the architectural design of the automation control environment. Network segmentation and segregation, boundary protection controls, remote access, and firewall rules effectiveness, among other critical security controls, should be considered.
Policies, plans, procedures and baselines. Policies and procedures must be well-defined and documented. BAS systems need to be appropriately configured to maintain optimal operation by following a security strategy in a security plan with a strong foundation on documented configuration baselines. This security plan must be aligned with the enterprise architecture and the information security policy framework.
Systems and services acquisition. An adequate security assessment should cover the contracting and acquiring of automation control system components, software, and services from third parties. Since organizations must include security requirements as part of the acquisition process to ensure that the products and services received fit into the enterprise security program, assessment findings will identify existing gaps in BAS implementations, especially those associated with contracting third-party services.
Disaster recovery. The business continuity strategy should be reviewed to evaluate the effectiveness of the continuity of operation plans. Any security assessment should consider that a solid plan addresses roles and responsibilities, assigned personnel and their contact information, and detailed activities associated with responding and restoring system operations after a disruption or failure.
Other control groups such as account management, audit and accountability, configuration management, and maintenance, should be part of a more comprehensive assessment. Designing a security assessment that is too wide in scope involves the review and evaluation of tons of security controls. This approach will most likely overwhelm any team; more importantly, the resulting findings will not provide a resonant value to the different leadership levels of the organization.
Therefore, an effective strategy for designing and executing security assessments for BAS should be founded on a tailored plan of action that encompasses performance, availability, risk, operations, resources, systems communications, change management, components’ lifetimes, and location as key differentiators from traditional IT systems.
Editor’s note: Mario Navarro Palos will present further insights on this topic during his “Designing Security Assessments for Building Automation Systems” session at ISACA’s 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA.
